What does future legislation in the field of privacy and data protection look like? An idea can be garnered by looking at the common ground between privacy advocates such as Privacy International (PI), academic groupings such as Cyberspace Law & Policy Centre at the Faculty of Law of the University of New South Wales (CLPC), and Regulators such as the Information Commissioner (ICO) and the European Data Protection Supervisor (EDPS).
All these groupings want a definition of personal data that reflects modern Internet reality, a more powerful privacy regulator, a reappraisal of the processing of personal data in domestic circumstances, and a clear definition of when personal data are lawfully processed.
In summary, there is an emerging consensus which can be seen by comparing the responses made to the European Commission in connection with its intention to reform the Data Protection Directive. Any significant area of overlap in these submissions indicates agreement on its likely content. (All the mentioned submissions can be downloaded in full – see references at the bottom of this blog.)
Definitions
All respondents want any revised Directive to include definitions that capture behavioural advertising and the monitoring of Internet use. For example, the ICO states that “It is clear that information such as IP logs held by search engines are being used to identify individuals and to take action affecting them, in contexts ranging from behavioural advertising to digital rights management or national security. It is clear that data protection safeguards ought to apply to this sort of information”.
The EDPS achieves the same objectives by requiring all definitions to be “uniformly interpreted in all Member States, with no margin of implementation” coupled with the inclusion of further binding definitions of “anonymous data, pseudonymous data, judicial data, data transfer and data protection officer”. This tweaking of the definitions is subtle (e.g. an explicit definition of “anonymous data” implies that any data that is not “anonymous” could be treated as “personal data”). In this way those Internet activities that have caused controversy are unambiguously brought into the data protection framework.
The CLPC with the support of PI want personal data to be defined to include “information which allows individuals to be ‘targeted’ for customised action, whether involving direct contact or not, and even where the individuals cannot be actually identified”. CLPC has in mind “the increasingly common use of ‘analytics’ which can select individuals for attention; e.g. for customised direct marketing, presentation of webpage content etc, even though the data controller may not know, or even be able to find out, the actual identity of the target”. It argues that the “effect of this sort of intrusion on individuals’ privacy, based on analysis of their behaviour, is just as much a matter of privacy concern as if the controller actually knows their identity”.
In summary, it is not a question of whether a revised Data Protection Directive will apply to the use of IP addresses, URLs etc.; the question is how it will apply.
Domestic circumstances
Both Privacy International and the Information Commissioner regret the lack of consideration by the Commission of whether or not the processing of personal data in the domestic circumstance needs revision.
PI state that “There is little mention of the challenge of dealing with the issue of individuals as data controllers” for instance in relation to “user generated content, bloggers, video makers that release a constant wave of personal data which is often public by default”. This is a phenomenon that “did not exist at the time of the formulation of the current Directive, and needs to be addressed in any future review, since an individual using a platform service cannot be treated in law in the same way as large service provider whether public or private”.
This finds support in the ICO submission which remarks that he “is disappointed” that “there was no discussion on clarifying the rules surrounding the use of data for domestic purposes, of particular importance in an online world” or the need “to balance a high standard of data protection against a strong upholding of the right to freedom of expression. In an age of online blogging, where should the line be drawn in any future law?”.
PI with the support of CLPC also seek an obligation so that default settings on the platforms that provide processing services to individuals (blogging sites, social networks, etc) are those that maximise individual privacy. This is supported by the EDPS who wants a "privacy by default" setting for the processing of such personal data.
Commentary on processing personal data in the domestic context
I share the concern over this lack of consideration as this issue is very important for two reasons.
First, many households are installing security CCTV systems which are sometimes used to monitor neighbours. In the UK these cameras are not regulated by Data Protection legislation because a wide exemption applies for the processing of personal data in a purely personal and domestic setting (within which these CCTV cameras are supposed to operate).
Yet complaints about the invasion of privacy by such cameras are growing in circumstances where there is little or no justification (e.g. there is no antisocial behaviour on the part of neighbours that could justify the need for cameras to record evidence of such behaviour). The question that then arises is whether a data protection regime should apply to these domestic CCTV installations, and if it does apply, how would it then apply to those who take camcorders to record their young child’s performance in a school play or orchestra?
Secondly, there is the issue with respect to the use of the Internet to convey personal details. For instance, should a blogger who publishes personal data about others (e.g. friends) in a blog be subject to data protection rules? Does the same problem arise if an upload to YouTube shows images of others? And what about telling Facebook friends details of someone else if “Facebook friends” are not really friends at all (e.g. merely acquaintances)?
These questions are very important given that the European Court has already ruled (7 years ago) that the display of personal data on a web-site about fellow church-going members was a processing operation that was fully subject to a data protection regime (see Lindqvist - references).
In this case, the Court concluded that the act of publishing on a web-site meant that the processing was no longer limited to “personal affairs”; such processing therefore could not qualify for the “personal affairs” exemption. The consequence is that a data protection regime can fully apply to ordinary blogging etc. This ruling applies to all Member States who have implemented the current Data Protection Directive, although I am fairly confident that most domestic users of the Internet are unaware of these legal niceties and most Member States have refrained from stressing the ruling.
Is Lindqvist (or should it be) the correct view? If the Directive is not revised in this area, this judgement will remain. My own view is that the absence of the “domestic question” discussion in the European Commission’s consultation implies that the Commission thinks that Lindqvist is valid.
Lawful processing of personal data
PI state that “The protection of individual’s rights requires more than just considering definitions” and argue that “each Privacy Commissioner should explicitly be extended to the processing of personal data in circumstances where the processing at issue is alleged to cause a breach of Article 8 of the ECHR”.
CLPC add sentiments along the same lines: “For example, it should have be possible for Commissioners to assess whether or not some processing is lawful (i.e. proportionate) in terms of Article 8 in cases such as international data sharing or with the retention of personal data” whereas the EDPS states that “The new legal instrument should be as precise as possible with regard to the core elements determining the lawfulness of data processing”.
So why the fuss about a simple question: “what is lawful processing”?
Commentary on lawful processing
It is important to understand why establishing the “core elements” of lawful processing of personal data is such an important issue. For example, suppose legislation states that “50 items of personal data are to be used for purpose X”. Such legislative rules make it difficult for any Commissioner to enforce a proposition that states that these 50 items of personal data are not relevant to purpose X, because the 50 items are deemed to be relevant because the law states they are needed in connection with purpose X.
The only way to avoid this legal equivalent of a short-circuit loop is to ask whether the law itself is properly formed. For instance, is the law “necessary” for the functioning of a democratic state, and is the processing “proportionate” in the context of the processing objectives? Note that the focus of this inquiry has shifted from “the relevance of the personal data to purpose X” to “the nature of the law that requires those personal data to be processed”. This shift in focus is best achieved by using the legislative framework that regularly assesses questions such as “proportionality” and “necessity”: Article 8 of the Human Rights Convention.
The EDPS has often criticised data sharing agreements with the USA on the grounds that the sharing was not proportionate. Any linkage with Article 8 would give Privacy Commissioners the power to test this proposition in the Courts.
I think most Governments will resist this linkage as they would see it as an independent, unelected official interfering in the way in which Ministers decide policies and then get Parliaments to enact laws. Most neutrals see it as a way of ensuring that Ministers do not usurp their powers to make bad law and see this link as protecting the individual from the overbearing state. And we all know that in New Labour’s Surveillance Britain, there has been a lot of overbearing.
The resolution of the lawfulness issue is a litmus test on whether a new Directive enhances privacy protection for the individual. If there is no change, then the answer is a resounding “NO”.
Other issues
PI have asked the Commission to state that the right of access, correction and deletion of personal data should be delivered free of charge where possible. The argument is simple: if “Privacy by Design” is being promoted, these data subject rights should be designed into the system – and if they are designed into the data controller’s processing environment, they can be designed at minimal cost to the data subject.
PI, CLPC and EDPS all agree that there should be a general introduction of a provision to notify the data subject when personal data are lost. There appears to be almost a complete consensus around this issue – and I expect it to feature in a revised Directive.
PI also want the “EU-US Safe Harbor Framework be included in this review, as several studies have documented massive compliance failures and lackluster enforcement”.
Final comment on process
I should mention that the EDPS states that the changes in privacy law should not be introduced by a new Directive. Instead he argues that a Regulation would be “a single instrument which is directly applicable in the Member States” as this “is the most effective means to protect the fundamental right to data protection and to create a real internal market where personal data can move freely and where the level of protection is equal independently of the country or the sector where the data are processed”.
Although the idea of a Regulation is well intentioned and seductively achieves all the above objectives, politically I think it is a non-runner. The idea that most of Europe’s democracies should enact processing rules in sensitive policing-type areas, at the behest of Brussels and a cohort of Ministers, with a minimal involvement of the European Parliament, hardly any from any national Parliament, or the involvement of a nation’s data controller or data subject communities is simply misplaced.
In my view, any such Regulation which applies to every citizen and business in Europe would not possess any democratic legitimacy in any Member State. It’s a recipe for disaster.
References
Lindqvist ECJ, Case C-101/01, 6 November 2003: http://curia.europa.eu/jurisp/cgi-bin/gettext.pl?lang=en&num=79968893C19010101&doc=T&ouvert=T&seance=ARRET
Follow the link to load the EDPS submission to the Commission (Download EDPS response); to load the PI submission to the Commission (Download PI response); to load the CLPC submission to the Commission (Download CLPC response); to load Amberhawk’s own submission to the Commission (Download Amberhawk response), and to load the ICO submission to the Commission (Download ICO response)
Adverts re Data Protection courses
Our Spring UPDATE session is on 11th April in London: details of speakers and content on our web-site (and at £195+VAT for the day it is a real snip). We are also running a Privacy Impact Assessment Course, a RIPA course and a Data Protection Audit on consecutive dates (London, 21st to 23rd March).
We are starting a 5-day intensive data protection course in Edinburgh (beginning 24th February) and in Leeds (beginning 3rd March). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details from the Amberhawk website (www.amberhawk.com)
Posted at 10:08 AM in Data Protection, News
If you are employed in the public sector forget about offences under the Data Protection Act if there is deliberate misuse of personal data. In the absence of a custodial sentence, in more serious cases prosecutors are increasingly opting for the blunt instrument that is the common law offence of 'malfeasance in public office'. The offence does not need "personal data" or a computer or even an official secret – all it needs is a public official to be caught deliberately doing the wrong thing.
The offence itself, because it is not based on statute, is not easily defined and perhaps this is why it is used. It gathers into one offence, a range of official misconducts, frauds, deceits, breaches of trust, and disclosures of information. 'Malfeasance in public office' has two related cousins – 'nonfeasance in public office' (e.g. a wilful neglect of duty) and 'misfeasance in public office' (e.g. malicious exercise of official duty). The punishment for this offence comes with a potentially unlimited custodial sentence and unlimited fine. As with all common law issues, the penalty depends on the circumstances and this provides another reason why it is preferred.
The offence is a prosecutor's dream - the ultimate in flexibility. No need to argue that there was personal data involved, especially if manual records are involved. Note that the malfeasance offence avoids all sorts of side issues. For example for a local authority, unauthorised disclosure of details from Housing Records is an offence, but unauthorised disclosure of Housing Benefits files is not. Also, in serious cases, the Section 55 offence of the DPA is non-custodial; malfeasance can carry a significant jail term.
For example, in April 2007, James Andrew Hardy, a police officer who improperly accessed a police database and passed individuals' personal details on to a man with a violent criminal record, had his jail term increased by the Court of Appeal to nine months, following an appeal by the Attorney General. He had previously been found guilty of the malfeasance offence but was given a suspended prison sentence of 28 weeks and 300 hours of community service.
In January 2005, special constable Geraldine Tabor was fined £1,000 for malfeasance when she looked up the criminal records of fellow employees at the petrol station where she worked. Special constables are part-time volunteers and Ms. Tabor claimed she looked up the details because she suspected one employee of stealing fuel and the other of stealing bags of chocolate oranges. By contrast, in 2004, a police computer operator in Gwent was only fined £400 under the Data Protection Act for using the police database to look up four of her friends because she was bored.
In October 2005, a vehicle registration official, Barry Saul Dickinson, gave drivers' addresses to animal rights activists and was jailed, courtesy of the malfeasance offence, for five months. According to the police at the time 'Dickinson accessed DVLA computer systems to look up people's registration numbers', and passed names and addresses to animal rights extremists.
In June 2007, a civilian police worker pleaded guilty to malfeasance in a public office by leaking confidential details on terrorism to a newspaper. Thomas Lund-Lack, 59, who was working in the Metropolitan Police's counter-terrorism unit, disclosed a document to a Sunday Times journalist because he was fed up with Government policy. In this case, the further charge of breaching the Official Secrets Act was expected to be ordered to lie on file pending sentence. Just pause for a moment to reflect – if a prosecutor has to choose between malfeasance and Official Secrets, it is malfeasance which prevails!
All the above offences could have been brought under data protection, computer misuse or other legislation – all of which need some degree of technicality to overcome. For example, was the information in question actually personal data or stored on a computer? Malfeasance in public office does away with the technicalities. All it needs is evidence that someone misused their authority as a public official.
Public sector readers and contractors to the public sector should thus ensure that their training courses cover this offence.
Advert re DP and FOI courses
We are running several sets of data protection courses next year. We are running the 5-day intensive course in Edinburgh (beginning 24th February) and in Leeds (beginning 3rd March). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Our next FOI course starts in Manchester on 26th January. As with Data Protection, these courses cover the FOI ISEB syllabus for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details on the “brochure” section of the Amberhawk website (www.amberhawk.com)
Posted at 03:11 PM in Data Protection, News, Other Information Law
Yesterday, the final salvoes in the protracted legal battle over the tabloid exposure of Max Mosley’s romp with five prostitutes were fired at the Human Rights Court in Strasbourg. The outcome will determine whether there is a structural failure in the UK law which will be corrected if the press have to notify an individual under investigation, if details about that individual are about to appear on the front pages. This Blog reports on some of the arguments raised by both parties to the dispute (Application no. 48009/08, Mosley v the UK – see references).
Facts of the case
On 30 March 2008, the News of the World (NoW), published on its front page an article headed “F1 boss has sick Nazi orgy with 5 hookers”. The article opened with the sentence, “Formula 1 motor racing chief Max Mosley is today exposed as a secret sadomasochistic sex pervert” and several pages inside the newspaper were also devoted to the story. This included still photographs taken from video footage secretly recorded by one of the participants in the sexual activities. An edited extract of the video as well as still images were also published on the newspaper’s website and reproduced elsewhere on the internet.
The edited video footage was viewed over 1.4 million times over 30 and 31 March 2008. The online version of the article was visited over 400,000 times during the same period. The print version of the News of the World has an average circulation of over three million copies. On 6 April 2008, a second series of articles on the applicant’s sexual activities was published in the News of the World.
The Nazi element was included in the NoW headlines as Mosley is the son of Oswald Mosley, leader of the UK fascist blackshirts in the 1930s. The Newspaper ran headlines such as “SECRET TAPES REVEAL VILE MOSLEY’S TRUE DEPRAVITY”, “MOSLEY’S TWISTED NAZI-STYLE RANT AT HOOKERS” and “Sick games WERE like death camps”. However, it transpired in the UK Courts that newspaper staff did not check any speech for Nazi content and “the German was not even translated”. The Newspaper’s justification of the public interest, based on the Nazi dimension, thus collapsed.
That is why in the UK, the Court concluded that the newspaper articles and images constituted a breach of the applicant’s right to privacy. The judgment found that, as there were no Nazi connotations in the applicant’s sexual activities, there was no public interest or justification in the publication of the article about his personal life and the accompanying images. Max Mosley was awarded costs and £60,000 damages.
The issues before the ECHR
The central issue before the European Court of Human Rights was identified by Eady J. in his UK judgement – compensation cannot compensate for embarrassment or humiliation.
“...Whereas reputation can be vindicated by an award of damages, in the sense that the claimant can be restored to the esteem in which he was previously held, that is not possible where embarrassing personal information has been released for general publication. As the media are well aware, once privacy has been infringed, the damage is done and the embarrassment is only augmented by pursuing a court action...” (para 230)
In other words:
1. Given this state of affairs, should the NoW have contacted Max Mosley prior to publication to alert him to the fact of publication, knowing that Mosley would probably successfully apply for an injunction preventing publication?
2. If this is the case, has the UK a legal framework that allows the proper protection of the Article 8 right to a private life?
3. In order to protect that right, should the law require the press to make contact with those who are about to be prominently featured in a publication?
Eady J also summarised the public interest arguments proffered by the NoW. For instance, he wrote in relation to the photographs published by the NoW:
“ ... A relevant consideration here is whether there is a public interest in revealing the material which is powerful enough to override Mr Mosley’s prima facie right to be protected in respect of the intrusive and demeaning nature of the photographs. I have little difficulty in answering that question in the negative. The only reason why these pictures are of interest is because they are mildly salacious and provide an opportunity to have a snigger at the expense of the participants...”
Commentary on the submissions
The UK Government’s position was that there is no need for a change in the law to require prior notification. This was based on the fact that the majority of European Countries did not have laws that required such contact, and for the Court to require this step would have wide ramifications far beyond the UK. If a law was enacted, there would be a host of unintended consequences.
For instance – what is a publication? If the Hawktalk blog reported the rumour that “David Beckham was to join Barnsley FC” – would I have to contact Beckham even though it is obvious that he would be delighted with the news? And what about Wikileaks – should they have contacted all USA diplomats before publishing those leaked Ambassadorial communications? How does one frame a law that works – for instance, what happens if contact is attempted and fails – can publication go ahead? Should there be an offence of failure to make contact?
Because of these practical issues, the UK argued that the matter was best left to the “margin of appreciation”, as nation states know how their media and law operate in tandem. For instance, the media in the UK has a vibrant tabloid component which differs from other European States. Leaving it to Member States would also ensure that there would be no “chilling” effect on investigative journalism.
Finally, the UK picked up on evidence from the Editor of the Daily Mail who told a Parliamentary Committee that in 99% of cases “you should inform somebody that you are going to write an article about them before you publish it?”. If UK practice was 99% effective, it was then argued that there was no need for a change in the law to cover the rare 1% of cases. After all, hard cases make bad law.
The Counsel for Max Mosley put another gloss on this 99% statistic. He stated that if this was 99% of the practice, then there was no harm in taking a small step to make it a legal requirement for all cases.
Evidence supporting this view was found in the OFCOM code which required “Broadcasters must avoid unjust or unfair treatment of individuals or organisations in programmes”. In amplification of this requirement, the Code states that “Before broadcasting a factual programme.... anyone whose omission could be unfair to an individual or organisation has been offered an opportunity to contribute” (para 7.9 of the Code). In other words, if Broadcasters had to make contact with those who were featured in its investigations, so should the press.
Finally, in the 1% of cases where there was no contact with the target of an investigation, it was the Newspaper that was deciding that this was the appropriate step. This put the newspaper’s interests in the position of the judge (removing the decision about an injunction) and denied the individual the chance of obtaining injunctive relief.
The Counsel invoked the ECHR’s previous ruling in the case of I v Finland, and its obligation on the state to give real effect to Article 8 rights. As a result, the specific obligation to make contact with the target of an investigation was the only way of protecting the subject when the investigation was of the kind suffered by Max Mosley.
The Data Protection Act
I was surprised that the counsel for the UK argued that the DPA offers an effective remedy for Mr Mosley, in that he could require the deletion of personal data from various websites.
I am not so sure it does. The reason for this is that when the Section 32 exemption was framed, it was intended by Government that the exemption fell away when the personal data was published – that is clear from the Parliamentary record. However, in the Naomi Campbell case, the Appeal Court (Lord Phillips at para 189) concluded that Section 32 was of general application. This means the exemption applies after publication - and if so, there is no remedy for Mr. Mosley.
Conclusion – what do I think will happen?
This is a difficult one – it is too close to call. What I can say is that if the end result is an obligation to inform individuals of an investigation, I can see how it could have a chilling effect on investigative journalism dealing with fraud or malpractice. For that reason, I think the ECHR could avoid making a precise ruling that gives Mr. Mosley what he wants.
But if the ECHR goes down this route, it would not be the Human Rights regime that has caused the problem. It is that investigative journalism has been used by many national newspapers, not to reveal malfeasance, but to reveal matters in order to titillate their readership.
References:
1. 90 minute recording of the public hearing before the ECHR – highly recommended (http://www.echr.coe.int/ECHR/EN/Header/Press/Multimedia/Webcasts+of+public+hearings/webcastEN_media?&p_url=20110111-1/en/)
2. The 99% figure is at Q594 of House of Commons, Culture, Media and Sport Committee Report into "Press standards, privacy and libel", Second Report, Session 2009–10, vol II.
3. The Ofcom Broadcasting Code (December 2010) is on its web-site
4. The UK Court decision before Eady J, Max Mosley and News Group Newspapers Limited [2008] EWHC 1777 (QB)
Advert re DP and FOI courses:
We are running several sets of data protection courses next year. We are starting a set of the 7-day DP course in London (beginning 18th January) and running the 5-day intensive course in Edinburgh (beginning 24th February) and in Leeds (beginning 3rd March). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Our next FOI course starts in Manchester on 26th January. As with Data Protection, these courses cover the FOI ISEB syllabus for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details on the “brochure” section of the Amberhawk website (www.amberhawk.com)
Posted at 09:55 AM in Data Protection, News, Other Information Law
Happy New Year. Isn’t it horrid to be back at work?
Normally the end of year holiday is very quiet – not so this year, so I have taken the opportunity to report on three issues that could have been easily missed since my last blog. The commentary deals with Smart Meters, Violent Warning Markers and Undertakings. Full references at end as usual.
Smart Metering
With the UK Government’s blessing, most public utilities are moving to “smart metering”. For instance, all old fashioned electricity meters are being replaced by 2020 with devices where consumers can find out, in real time, what resources are used by which device, and how much it costs to use. Such information, the Government hope, will reduce electricity consumption and carbon dioxide emissions; it will also make the visit from a meter reader as outdated as a visit from a Petty Chapman.
However, smart meters could allow public utilities to hold personal data about lifestyles – for example, how many times you cook food in an oven, when you have a bath, when you are at home or on holiday. Inferences could be made – for example, what do you think has happened if the meter readings are consistent with a shower in a two person flat being switched on four times – twice at 11.30pm and twice around midnight?
Also, if the authorities want to know whether someone is at home, they can monitor the real-time meter – perhaps relying on the exemption from the non disclosure provisions in section 29 (crime and taxation) to facilitate disclosure. Covert surveillance (such as that employed by Poole Borough Council in relation to its school admissions policy - see references) becomes unnecessary as an analysis of meter readings can be used to assess how much (and when) a property is being used as the prime domestic residence. Finally, burglars are likely to take an interest in very low-usage meter readings, so personal data security is a very important issue.
Before the holidays, the Ponemon Institute (an American Research organisation specialising in security and privacy) published research on USA consumer attitudes to smart metering. It shows that many consumers do not understand the range of details recorded or transmitted by a smart meter, and are not provided (or did not recall receiving) information about the installation of a smart meter. Consumers who claim to have the best understanding of a smart meter are most concerned about the impact on individual privacy. The major concern, not surprisingly, appears to be how the collection of personal information could reveal details about their lifestyle.
In other words, there are significant data protection issues about smart metering that have yet to be resolved (or even aired in public in the UK).
Violent warning markers
Slough Borough Council’s appeal against the awarding of libel damages was published just before Xmas. The Appeal relates to the placing of personal data (about Ms Jane Clift) on Slough’s Register of Violent People, which was subsequently shared with other public bodies and within the Council. At the Lower Court, Ms Clift was successful in her argument that the sharing of her personal data was an unnecessary interference with her personal life and their distribution amounted to defamation. She was awarded £12K compensation and costs.
Slough’s appeal surrounded the legal point as to whether or not a Local Authority had a public-law, moral or social duty to disclose the details on the Violent Persons Register. If such a duty existed, the content of the disclosed personal data was irrelevant to the question of whether personal data, once placed on the Register, had to be disclosed. In other words, if Slough had such a lawful duty, then it followed that there could be no defamation as there was an obligation to disclose details from the Register.
Paragraph 35 of the Appeal judgment is the killer for the Council: “....Ill-considered and indiscriminate disclosure is bound to be disproportionate and no plea of administrative difficulty in verifying the information and limiting publication to those who truly have the need to know or those reasonably thought to be at risk can outweigh the substantial interference with the right to protect reputations. In my judgment the judge's ruling on proportionality is beyond challenge. To publish as widely as the Council did was to breach Ms Clift's Article 8 rights”.
Note that the Appeal judgment has no commentary on any data protection issue and therefore does not illuminate the workings of the Act, although the ICO’s Guidance on Violent Warning Markers gets a very cursory mention at paragraph 35 as part of a single sentence in a 50-paragraph judgment. At best, one can tentatively assume that this Guidance was aired in Court, and the absence of detailed commentary in the judgment can be read as implying some kind of acceptance of its content in relation to when to place personal data on the Register and when to disclose them - but that is as far as it goes.
I think the real question is: “Why did Slough B.C. bring this appeal?”. The facts of the case were explored in detail by the Lower Court and were found to be wanting; the Court accepted that Ms Clift was not someone who had been violent (or who was potentially violent), but rather someone who became frustrated with officials and complained about their lack of professionalism. Slough’s error was to take verbal statements such as “Right now, I wish she'd drop dead” too literally.
So what legal principle was Slough trying to establish by its Appeal? Was it “if we decide to put people on the Register, then there are no consequences?”. And because of the small nature of the compensation (£12K not £120K), the whole process seems to be a complete waste of resources, paid for by the taxpayer of course. Perhaps somebody in Slough has a big ego to protect, who knows? But quite evidently the maxim “once in a hole, stop digging” has yet to reach the Borough.
By the way, don’t say something like “I could murder a bag of chips” in Slough – you might get arrested.
Undertakings extended to FOI
The University of East Anglia (UEA) has signed the first Undertaking in relation to Freedom of Information (FOI). Until now, Undertakings have been signed by data controllers in relation to reported losses of personal data; the result is that all previous Undertakings have dealt with the Seventh Principle, but the odd one has contained additional requirements in relation to the First, Third, Fourth and Fifth Principles.
The context of this FOI undertaking concerns the failure to deal with EIR/FOI requests received by the UEA’s Climate Change Research Program. Do you recall those leaked emails (around February last year) which were used by the “No such thing as global warming” lobby to say that the science was being “fixed” to support a carbon dioxide theory of rising global temperature?
The subject matter got very political and resulted in a Parliamentary Select Committee Inquiry and a host of press headlines. In such circumstances, the Commissioner had no choice but to be seen to “do something” about the obvious FOI/EIR shortfalls which had been exposed and criticised publicly.
The interesting fact is that there was no Enforcement Notice issued. This means that the ICO wanted to dispose of the subject with the minimum of fuss, and it is this aspect – the decision not to proceed down an official enforcement route - which helps explain why the Undertaking is likely to become more important to public authorities and data controllers.
DP and FOI Practitioners might want to look at “The Undertaking – 2010” (see references). This explores why the “Undertaking” is increasingly being used by the Information Commissioner as part of his enforcement options. The article considers the implications for data controllers, the lack of an appeals mechanism and the extension of “Undertakings” to breaches of any data protection principle. Now that analysis is relevant to FOI practitioners.
References:
1. The Ponemon Institute research document (Perceptions about Privacy on the Smart Grid) can be obtained from Mike Spinney, Senior Privacy Analyst, [email protected]. Re Poole surveillance: http://amberhawk.typepad.com/amberhawk/2010/08/swimming-in-the-surveillance-poole-the-real-privacy-problems-with-ripa.html
2. Clift v Slough Borough Council [2010] EWCA Civ 1484 (21 December 2010) URL: http://www.bailii.org/ew/cases/EWCA/Civ/2010/1484.html
3. The “Undertaking” analysis can be downloaded from http://www.amberhawk.com/policydoc.asp and the FOI undertaking itself can be found at http://www.ico.gov.uk/what_we_cover/promoting_openness/~/media/documents/library/Freedom_of_Information/Notices/uea_foi_undertaking.ashx.
Advert re DP and FOI courses:
We are running several sets of data protection courses next year. We are starting a set of the 7-day DP course in London (beginning 18th January) and running the 5-day intensive course in Edinburgh (beginning 24th February) and in Leeds (beginning 3rd March). These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Our next FOI course starts in Manchester on 26th January. As with Data Protection, these courses cover the FOI ISEB syllabus for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details on the “brochure” section of the Amberhawk website (www.amberhawk.com)
All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.